How can I add X-Frame-Options selectively using Apache?

Question

I am planning to set X-Frame-Options SAMEORIGIN in my server's httpd.conf as part of improving the defenses against click jacking. I understand this will add the X-Frame-Options header to all pages. There is a "widget" page that I would like to exempt from this (other sites will display this page inside an IFRAME).

Is there a way to configure Apache 2 to not send the header for a specific page alone?

score 3 · Accepted Answer · answered Sep 27 '10 at 18:56

3

Yes, use SetEnvIf:

SetEnvIf Request_URI "^/my_awesome_widget_page.html$" iframes_are_cool
Header set X-Frame-Options SAMEORIGIN env=!iframes_are_cool

answered Sep 27 '10 at 18:56

Mark Wagner

17,764
2
30
47

cherdt · Answer 2 · 2016-02-24T21:31:57.570

0

You can unset the X-Frame-Options header in a .htaccess file (assuming your widget is in its own subdirectory):

Header always unset X-Frame-Options

edited Feb 24 '16 at 21:31

answered Feb 24 '16 at 21:23

cherdt

335
1
3
12

How can I add X-Frame-Options selectively using Apache?

2 Answers2